Researchers reveal new online user tracking techniques

Researchers have identified a number of online user tracking techniques that can’t be blocked by browsers’ built-in anti-tracking defenses and existing anti-tracking and ad-blocking extensions.

The good news is that they’ve also scanned the Alexa Top 10,000 most popular sites and found no evidence that these techniques are already being used by user tracking services and advertisers.

The research

Tracking of users’ online activities is done via cookies and they are, by default, automatically attached by browsers to all HTTP requests. Often the tracking is done for authorized purposes: it allows users to keep track of the items they have added to their online shopping baskets or to log in to their favorite websites.

“However, cookies may also be exploited for more nefarious goals: users’ online activies are tracked at large-scale by various advertising companies, or so-called cross-site attacks can be used to take over the account of an unwitting user. As a response to this increasing threat surface, a variety of defense mechanisms have been developed: either as anti-tracking or ad-blocking browser extensions, or as built-in browser features such as the Tracking Protection in Firefox, or SameSite cookies, which can be highly effective at thwarting cross-site attacks,” Gertjan Franken, Tom Van Goethem and Wouter Joosen from the Catholic University in Leuven (Belgium) explained.

For these privacy- and security-enhancing features to function properly all requests must comply with the imposed cookie policies – and they don’t.

“In our research, we created a framework to verify whether all imposed cookie- and request-policies are correctly applied. Worryingly, we found that most mechanisms could be circumvented: for instance for all ad-blocking and anti-tracking browser extensions we discovered at least one technique that could bypass the policies,” they group noted.

They tested 7 browsers, 31 ad blocking and 15 anti-tracking extensions. They pinpointed 7 categories of request-triggering mechanism that can be used for user tracking on at least one tested setup.

These tracking techniques take advantage of:

The (deprecated, but still supported) AppCache API and its replacement Service Worker (SW) API

Javascript in PDFs

HTML tags

Response headers

Various redirects

Javascript APIs.

For more a more in-depth look at their discoveries, check out the researchers’ paper, which won the Distinguished Paper prize and the Internet Defense Prize at the Usenix Security Symposium that took place last week in Baltimore, Maryland.

What now?

The researchers have been reporting the discovered issues to browser vendors and extension developers and have been working with them to fix them. Some already have been, and some won’t be (e.g., those tied to the AppCache API, as it’s deprecated).

Let’s hope that the rest of the fixes land before some enterprising tracking services start using this research to improve their effectiveness.